Ask HN: How to disclose a phishing vulnerability
So: am I obliged to treat this like a security vulnerability? Warn said institutions of the problem, give them a grace period to make changes, all that? Or should I just announce it publicly? Morally, what's the right thing to do? Legally, am I on any shaky ground one way or the other?
Oh, I should also mention that I have no expectation of this information actually convincing said institutions to change their ways. It's not like an open port on their server or something, and I am guessing they've sunk plenty of money into their system and aren't going to revamp it because of one windbag on the internet. Honestly, I'm concerned that if they give any response at all, it will be to threaten me with legal action or something if I don't keep it quiet.
7 comments
[ 3.9 ms ] story [ 30.2 ms ] threadTheir response was to lock my account for a day for "suspicious activity". Once they unlocked it, they changed my password and informed me that I must have carelessly given my credentials to an attacker (which had nothing to do with the problem I reported). Their email was extremely rude and threatening. As a result, I would never dare inform the financial institutions of their problems unless I worked for their security team, for fear of being prosecuted. So as a follow-up question: what has been the response you've received in the past from such action? And indeed, how do you avoid coming across as a malicious hacker?